Though the group appears to have broken up into smaller cells in the interest of evading law enforcement detection, Conti will likely go down as the most active group of its kind during the pandemic era, with at least 850 successful attacks since 2020, according to a new report from security firm Group-IB.
One of Conti’s most successful periods was from late November to late December 2021, a period that the researchers called “ARMattack,” hitting at least 40 companies during the holiday shopping period.
Much of the group’s success is owed to it being one of the first to adopt a “corporate” structure of sorts, mimicking the functions and departments of a legitimate business. The group worked seven days a week during its run, appearing to take only New Year’s Eve off to celebrate, and was usually active for more than half of every day.
Conti ransomware attacks net the group over $1 billion
Conti appeared to maintain its around-the-clock schedule of ransomware attacks with a very organized division of labor managed by an internal human resources department. Certain staff were dedicated to not just onboarding new employees, but also motivating and managing them (including the use of performance awards). They also used legitimate job listing sites to hire temporary contractors for small elements of work that were siloed from the ransomware operation.
Based in Russia, the group also displayed patriotic fervor for its government’s military adventures and honored the standard unspoken cybercriminal agreement of not attacking anyone in that country or in allied countries. The gang’s combination of industriousness, organization and prudence led to it holding a treasure hoard of some one billion dollars (as revealed by leaked internal documents earlier this year).
Everything that has been documented about the group paints a picture of dedicated professionals who made an incredibly lucrative industry out of ransomware attacks. The hackers are as serious as any legitimate corporation about research and development, marketing, and talent recruitment, among other operational aspects. They are not kids playing games in between high school classes.
Conti established a reputation for fast attacks, custom tools
By the end, Conti had refined its operations to the point of completing ransomware attacks and regularly securing payment in just a few days. The group appears to have put a good deal of its stolen money into development of its own custom tools that are difficult for automated defenses to detect.
Other groups doing ransomware attacks made a bigger splash in the news, for example by compromising critical infrastructure, but Conti appears to have had the most sustained success in recent years and will likely go down as having the highest victim count (if not the highest earnings as well).
While Conti no longer exists as an organization, the people behind it are thought to have dispersed into numerous other smaller groups and are expected to remain active. They will likely continue ransomware attacks in similar patterns: a strong preference for targets in the United States (nearly two out of five Conti victims over time), a focus on certain sectors (such as manufacturing and real estate), and operating ransomware-as-a-service models that allow lower-skilled criminals to participate.